A major bug in macOS High Sierra 10.13.1 and the current beta version (10.13.2) lets anyone get administrator privileges on your Mac without needing a password.
Administrator privileges essentially allow a user to do anything they want with a Mac. This includes the changing of settings, installing any and all types of programs, adding and removing users, etc. Think of it as leaving your front door unlocked.
Any user can simply head to the Users and Groups section of System Preferences, click the lock icon to make changes and type in “root” as the username. You then click on the password field and hit Unlock. You now have admin privileges on the Mac.
The bug can also be exploited to get into a locked Mac.
Speaking to MacRumours, an Apple spokesperson has acknowledged the bug and stated that a patch is being worked on. The spokesperson also suggested a temporary fix for the issue.
"We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorised access to your Mac. To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the 'Change the root password' section."
Updated Date: Nov 29, 2017 09:56 AM